arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
Dns over https
4 min read

Dns over https

DNS over HTTPS est un protocole permettant d’effectuer une résolution DNS à distance via le protocole HTTPS.
Dns over https

Définition

DNS over HTTPS est un protocole permettant d’effectuer une résolution DNS à distance via le protocole HTTPS.
Voici une implémentation afin d’autohéberger un service DNS Over HTTPS.

Fonctionnement (simplifié)

+------------+  (requete dns overhttps)  +-------------+
| navigateur | ------------------------> | nginx https |
+------------+                           +-------------+
                                                |
                                                |  (requete doh-server)
                                                |
                                         +-------------+
                                         |  doh-server |
                                         +-------------+
                                                |
                                                |  (requete dns)
                                                |
                                         +------------+
                                         | Server DNS |
                                         +------------+

 

Installation: Ubuntu 16.04

Pour Debian, Centos, Ubuntu>16.04 ou autre, la démarche est la même.

Il faut télécharger et installer doh-server ou le compiler: github.

dpkg -i doh-server_2.0.1_amd64.deb

Configuration du server doh-server:

  • upstream : vos serveurs DNS (bind ou autre), ici ce sont les 2 ips opendns.
  • verbose : Mettre a true pour debugger dans syslog (sinon remettre à false)
  • On bind le service sur le l’ip privé de mon serveur 192.168.10.4
  • Le certificat est généré en amont sur le reverse proxy
root@ubuntu:/etc/dns-over-https# more doh-server.conf 
# HTTP listen port
listen = [
    "127.0.0.1:8053",
    "[::1]:8053",
    "192.168.10.4:8053",
]

# TLS certification file
# If left empty, plain-text HTTP will be used.
# You are recommended to leave empty and to use a server load balancer (e.g.
# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
# Stapling, which is necessary for client bootstrapping in a network
# environment with completely no traditional DNS service.
cert = ""

# TLS private key file
key = ""

# HTTP path for resolve application
path = "/dns-query"

# Upstream DNS resolver
# If multiple servers are specified, a random one will be chosen each time.
#upstream = [
#    "1.1.1.1:53",
#    "1.0.0.1:53",
#    "8.8.8.8:53",
#    "8.8.4.4:53",
#]

upstream = [
     "208.67.222.222:53",
     "208.67.220.220:53",
]

# Upstream timeout
timeout = 10

# Number of tries if upstream DNS fails
tries = 3

# Only use TCP for DNS query
#tcp_only = false
tcp_only = false

# Enable logging
#verbose = false
verbose = true 

# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
# Note: http uri/useragent log cannot be controlled by this config
log_guessed_client_ip = true 
  • On ajoute le service au démarrage de la machine et on le démarre
systemctl enable   doh-server
systemctl restart  doh-server

Configuration NGINX en frontale

  • Création d’un fichier de conf pour la configuration du site https://mondnsoverhttps.fr
  • Ajout d’un auth_basic pour ne pas laisser mon dns ouvert à tous.
upstream dns-backend {
    server 192.168.10.4:8053;
}

server {
    listen 443 ssl http2;
    server_name  mondnsoverhttps.fr; 
	access_log /var/log/nginx/mondnsoverhttps.fr.log combined;	

	location /dns-query {
		auth_basic "niet";
		auth_basic_user_file /etc/nginx/passwd;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_redirect off;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_pass http://dns-backend/dns-query ;
        }

.....




Configuration du navigateur

Dans Préférences/Paramètres de connexion de Firefox.

a

Ajoutez https://login:mdp@mondnsoverhttps.fr/dns-query

Test et Debug

  • lors d’une requête DNS du navigateur:
root@ubuntu:/etc/dns-over-https# tcpdump host 208.67.222.222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:10:15.198973 IP 192.168.10.4.49917 > resolver1.opendns.com.domain: 22816+ [1au] A? www.google.com. (51)
13:10:15.220176 IP resolver1.opendns.com.domain > 192.168.10.4.49917: 22816 1/0/1 A 216.58.204.100 (59)
13:10:16.429722 IP 192.168.10.4.54204 > resolver1.opendns.com.domain: 6866+ [1au] A? linuxfr.org. (48)
13:10:16.530155 IP resolver1.opendns.com.domain > 192.168.10.4.54204: 6866 1/0/1 A 88.191.250.176 (56)
13:10:16.611363 IP 192.168.10.4.36449 > resolver1.opendns.com.domain: 23736+ [1au] A? ocsp.int-x3.letsencrypt.org. (64)
13:10:16.700923 IP resolver1.opendns.com.domain > 192.168.10.4.36449: 23736 4/0/1 CNAME ocsp.int-
x3.letsencrypt.org.edgesuite.net., CNAME a771.dscq.akamai.net., A 104.123.50.43, A 104.123.50.123 (174)
13:10:16.740028 IP 192.168.10.4.57706 > resolver1.opendns.com.domain: 50387+ [1au] A? ocsp.int-x3.letsencrypt.org.edgesuite.net. (78)
13:10:16.823159 IP resolver1.opendns.com.domain > 192.168.10.4.57706: 50387 3/0/1 CNAME a771.dscq.akamai.net., A 104.123.50.43, A 104.123.50.123 (133)
13:10:17.239958 IP 192.168.10.4.56057 > resolver1.opendns.com.domain: 25580+ [1au] A? img.linuxfr.org. (52)
13:10:17.314693 IP resolver1.opendns.com.domain > 192.168.10.4.56057: 25580 2/0/1 CNAME prod.linuxfr.org., A 88.191.250.176 (79)
  • Log NGINX:
[09/Dec/2019:13:48:01 +0100] "POST /dns-query HTTP/2.0" 200 63 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71
.0"

Un petit pas supplémentaire pour la confidentialité de vos navigation web.

Photo by Markus Spiske on Unsplash

You've successfully subscribed to le 5eme Axe.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.